The Federal Trade Commission should be allowed to impose more robust civil penalties to ensure corporate America is protecting consumer data, according to a new report on Tuesday, coming after a massive Equifax breach in 2017 exposed the personal information of roughly 148 million people.
The report – requested from the Government Accountability Office by Sen. Elizabeth Warren, D-Mass., and Rep. Elijah Cummings, D-Md. – also suggests that consumer reporting agencies be required to register with the Consumer Financial Protection Bureau, the independent department mandated as part of the 2010 Dodd-Frank law that polices banks, payday lenders and other financial institutions.
“FTC lacks a practical enforcement tool for imposing civil money penalties that could help to deter companies, including [consumer reporting agencies], from violating data security,” the report states. “Identifying additional sources of information on these CRAs... could help CFPB ensure that it can comprehensively carry out its supervisory responsibilities.”
GAO says Americans often do not have a choice in picking a consumer reporting company if they are dissatisfied with one’s privacy or security protocols, intensifying the need for appropriate federal oversight of the industry.
Democrats and Republicans alike have seized on the Equifax breach as evidence that stronger consumer data protection laws are required. Last month, the House Financial Services Committee held a hearing on credit bureaus and the Equifax breach, during which Chairwoman Maxine Waters, D-Calif., called for reforms to the industry -- including bolstering the ability of consumers to appeal disputes on credit reports.
"To credit reporting bureaus, consumers aren't consumers. They are commodities,” she previously said.
In releasing the report, Warren – who is running for the Democratic nomination for president in 2020 – and Cummings said the breach “revealed majors gaps in how CRAs protect and use consumers’ private information.”
“We need to give the FTC more tools to crack down on consumer data abuses and the CFPB needs to do its job, hold these firms accountable, and protect consumers,” the lawmakers wrote.
While the FTC is able to impose penalties as part of settlements, it does not extend to violations related to federal privacy laws. The agency is able to seek financial remedies for affected consumers, but “assessing monetary harm can be difficult,” according to GAO.
“It can be difficult to trace instances of identity theft to specific data breaches,” the office wrote. “Consumers may not be aware that their identities have been stolen as a result of a breach and or identity theft, and related harm may occur years in the future.”